Panic, Privacy, and You

Overview

Our privacy policy is simple: your data is none of our business.
We make money by selling software, not by mining your personal information.

To the extent that our apps and websites can provide their functionality without doing so, we
prefer to avoid collecting data from you.

In the cases where we do collect
data, we try to be clear about why we're collecting it, tell you how long we keep it,
delete it when we no longer need it, and give you the ability
to opt out of collection whenever possible.

We use modern security measures to protect collected data, and limit access
to only those employees who require access to perform their jobs. We may be legally required to disclose
collected data to law enforcement or government agencies in some situations.

Website Purchases

If you purchase a product directly from our website, we collect your:

full name

address

company name (optionally)

email address

The purpose of collecting this information is to identify you in the future as a license owner of one of our applications. We may need to verify you are a license owner if, for example:

you contact us for support

you request a receipt or invoice

you request a refund

you request that we re-send your serial number

you wish to receive discounted upgrade pricing on an app you've previously purchased

Because addresses, both real-world and electronic, tend to change over time, having more than one piece of identifying information helps ensure we can find a record of your purchase should you need help down the road.

We do not sell or otherwise disclose this information to third-parties, except as required to complete your transaction. For example, we send it to our credit card processor once at the time of purchase in order to authorize the transaction.

We do not collect or store your credit card number, expiration date, or CVV code. When you purchase from our website, your credit card details are routed directly from your browser to our credit card processor, and are not stored on any Panic-owned server even temporarily.

You may update your personal information with us at any time by emailing support@panic.com.

We retain the personal information related to your purchase indefinitely to facilitate support interactions, unless you ask us to remove it. To request removal of your personal information related to a purchase, contact support@panic.com. If you do this, be sure to keep a copy of your purchased serial numbers, as we will no longer be able to look them up once we have removed your identifying information from our system.

Support Interactions

When handling support requests from you, we collect:

your email address (or Twitter handle, if you contact us via Twitter)

any information you provide voluntarily (such as crash logs or other diagnostic info)

This information is collected solely to help resolve your support inquiry. We retain support emails indefinitely in order to:

have context from previous interactions which may help us answer your future questions more quickly

identify broad trends in support requests, which may help us identify and solve problems with our products

We look only for broad patterns in the aggregated usage data, such as whether
or not a particular feature is frequently used, or whether users in general
prefer one setting over another. This helps us make informed decisions about
the future development of our apps.

To be clear, we do not track individual user behavior in our apps. We do not receive information
from your device's displays, cameras, or microphones.

We retain usage analytics data for 30 days.

Crash Logs

By default, if one of our apps crashes while you're using it, anonymized data about the crash will be
collected to help us identify the cause of the crash and hopefully fix it in a future update. These "crash logs" contain information such as the state of the app, operating system, and device at the time of the
crash, but not your private data.

In our direct download Mac apps, you may have the option to provide your name, email address, and additional comments when submitting a crash report, but this information is not required. If you do not voluntarily provide your name or email address, nothing else in the crash log can be used to personally identify you. Whenever possible, the app will allow you to review the entire contents of the crash log before you decide whether or not to send it.

Apple may also collect crash logs if the privacy settings of your device allow it.

Update Checking

By default, our Mac apps periodically check to see if a newer version of the app
is available, so that you can be given the choice to update if you wish.

For iOS apps or apps acquired from the Mac App Store, update checking behavior
is managed by the operating system, and the relevant information is processed by Apple.

For apps acquired via direct download from Panic's website, an update check
request will be occasionally sent to a Panic-owned server. This request
contains the name and current version of the app you are using, and a small
amount of metadata about your device (such as which operating system version
it is running, and your preferred language) which may be necessary to guide
you to the correct update version.

You may turn off update checking from the
app's preferences window.

Similarly, some of our apps also check with a Panic-owned server when opened to see if there is news about the app to show you.
We call this the "soapbox". We might use the soapbox infrequently to, for example, alert you to a significant app update or advise you on how to work around a serious bug. Soapbox requests send only similar metadata to an update check, and no private data is sent.

We retain metadata from update checking and soapbox requests for one week.

Email List

You may be given a one-time opportunity to sign up for
our email newsletter the first time you open one of our apps. If you decline, no data
will be sent. If you accept, the email address you provide will be added to our email list.

Our email list is low volume (only a few messages per year is typical)
and is generally limited to announcements of important new versions of our
apps or significant new product releases.

We do not sell or otherwise disclose any portion of our email list to third-parties,
with the exception of the vendor that provides our mailing list services as necessary to distribute the emails.

If you join our email list, we retain your email address until you ask to be removed. Instructions on how to unsubscribe
are contained in all messages sent to the email list. For your convenience, you can also unsubscribe directly, below.

Activation

Activation is the process by which our applications verify that you are a legitimately licensed owner
of the Panic product you're using.

For iOS apps or apps acquired from the Mac App Store, no activation request
is sent to Panic-owned servers. Verification of your purchase may occur by processes and servers
managed by Apple in this case.

For apps acquired via direct download from Panic's website, an activation
request is performed when you enter a serial number to unlock the app, and
may be repeated from time to time by already activated products.

The activation process consists of a single request sent to a Panic-owned
server, containing encrypted information about the serial number you entered
into the app. The server verifies whether the serial number is valid,
and replies with a digitally signed confirmation if so. Otherwise, an error
message is sent back for the app to display to you.

We retain a log of activation requests for one week.

Logging

When you interact with our servers using a web browser, or indirectly by
network requests sent on your behalf by our apps, some metadata about the
request is logged. This metadata may include:

your IP address (may reveal your approximate geographic location)

the name of the resource requested

the name and version number of the software making the request (may reveal information about your web browser, operating system, and their configuration)

whether or not the request was successful

current date and time

We generally don't look at these logs unless a server is malfunctioning or appears to be
getting used in a malicious way. We may look at the information in
aggregate to see broad statistics such as how many times our apps have been
downloaded, or from which source an unusually high amount of network traffic is arriving.

We retain web server logs for two weeks.

Third-Party Vendor Services Used

Credit card processing for purchases from our website is provided by Stripe.

PayPal is used for purchases from our website where PayPal is selected as the payment method.

Data Not Collected

Except as described above, and as required to perform the application's core functionality at the user's request, Panic apps do not send out any private information. This includes:

Information from device sensors

Your keyboard input

Screen contents

Network traffic

Hostnames

Usernames

Passwords

SSH / Encryption keys

Contents of files you are working with

Apps like Transmit, whose core purpose is to send and receive your
documents over a network, will, of course, send and receive your documents
at your request, but not to Panic or any other third party.
Documents in transit will be encrypted only if you use a protocol which supports encryption, such as
SFTP, HTTPS, etc., in conjunction with a correctly configured server. It is your responsibility to be aware of the security
implications of the file transfer protocols you choose to use. Plain FTP is not encrypted.

Panic Sync

Some of our apps provide an optional feature called Panic Sync, which
replicates app configuration data across multiple devices you control. If you
choose to use Panic Sync, we will collect and store the data necessary to
provide the syncing feature. This data will be encrypted before transmission
and stored in a way that is unreadable, even by Panic employees.

Refer to the Panic Sync page for specific details on its implementation.

The only way to retrieve the encrypted data stored in your Panic Sync account is to log in from one of the Panic Sync client apps and allow it to sync.

Opting Out

To opt out of certain types of data collection in one of our apps:

On iOS: refer to the Privacy section in the app's Settings screen.

On macOS: open the app's General preferences panel and uncheck "Send Crash Reports and Statistics".

This will prevent these specific types of data from coming to us, but be aware that the operating system may still collect crash logs and other analytics and send them to Apple unless you have disabled that separately in the operating system's settings.

Backed-up Data

As you might expect, we keep backups of company data so that a catastrophic data loss event doesn't put us out of business. Although collected personal data expires from our "active" data set according to the schedules mentioned above, it may persist in backups for up to 6 months. Backups are only accessible to specially privileged employees who perform system administration tasks. We consider the backups "cold storage" and we don't pull data from them unless a significant data loss event has occurred.

Rights of EU Citizens Under GDPR

Citizens of the EU may exercise their rights under the General Data Protection Regulation, such as the rights of access and erasure, by contacting us with their request. We recommend emailing the request to gdpr@panic.com.

Questions and Feedback

Our privacy policies might change or be edited for clarity over time. Up-to-date information will always be available from this page.

Please contact us if you have any questions about our data collection or
privacy policies. We'll be more than happy to discuss them with you.